[Secure-testing-commits] r27514 - doc/security-team.d.o

Paul Mathijs Gevers elbrus at moszumanska.debian.org
Sat Jun 28 07:47:20 UTC 2014


Author: elbrus
Date: 2014-06-28 07:47:20 +0000 (Sat, 28 Jun 2014)
New Revision: 27514

Modified:
   doc/security-team.d.o/security_tracker
Log:
Fix several typos and replace tabs by spaces for correct conversion

Modified: doc/security-team.d.o/security_tracker
===================================================================
--- doc/security-team.d.o/security_tracker	2014-06-28 05:40:41 UTC (rev 27513)
+++ doc/security-team.d.o/security_tracker	2014-06-28 07:47:20 UTC (rev 27514)
@@ -298,7 +298,7 @@
 as unfixed.  For example, if libxml is in oldstable, but not stable or
 unstable, then:
 
-	- libxml <removed>
+        - libxml <removed>
 
 will track oldstable as affected, but stable and unstable as `not-affected`.
 
@@ -311,18 +311,18 @@
 
 ### end-of-life packages
 
-In some rare cases (i.e. webprowsers) security support for some packages
+In some rare cases (i.e. webbrowsers) security support for some packages
 needed to be stopped before the end of the regular security maintenance
 life cycle.
 
 Packages which are not anymore supported by the security team in a
-(old-stable release are marked with the end-of-life tag:
+(old-)stable release are marked with the end-of-life tag:
 
     CVE-2011-3973 (cavsdec.c in libavcodec in FFmpeg before 0.7.4 and 0.8.x before 0.8.3 ...)
-	{DSA-2336-1}
-	- libav 4:0.7.1-7 (bug #641478)
-	- ffmpeg <removed>
-	- ffmpeg-debian <end-of-life>
+        {DSA-2336-1}
+        - libav 4:0.7.1-7 (bug #641478)
+        - ffmpeg <removed>
+        - ffmpeg-debian <end-of-life>
 
 
 #### <a id="NoteTodo">`NOTE` and `TODO` entries</a>
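Review bot: the typo fix on the `+In some rare cases (i.e. webbrowsers)` line still leaves two small wording problems: "webbrowsers" should be two words, "web browsers", and "i.e." should be "e.g.", since browsers are one example of packages whose support was ended early, not the whole set. While touching this paragraph, "Packages which are not anymore supported" would read more naturally as "Packages which are no longer supported". The "(old-)stable" correction and the re-indented `{DSA-2336-1}` / `- libav ...` block look right; the 4-space CVE header with 8-space sub-entries matches the other examples in the file.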
@@ -333,7 +333,7 @@
 descriptive so that it is clear what remains to be done. For example:
 
     CVE-2005-3990 (Directory traversal vulnerability in FastJar 0.93 allows remote ...)
-	TODO: check, whether fastjar from the gcc source packages is affected
+        TODO: check, whether fastjar from the gcc source packages is affected
 
 If you are not sure about some decision (e.g. which package is affected) or
 triaging (e.g. bug severity) you can leave a TODO note for reviewing, 
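Review bot: the comma in `TODO: check, whether fastjar from the gcc source packages is affected` is not needed in English ("check whether"); since the line is being rewritten for indentation anyway, dropping the comma here would be a cheap improvement to the sample text that people copy into new entries.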
@@ -366,36 +366,36 @@
 
 **unimportant**: This problem does not affect the Debian binary package, e.g.
              a vulnerable source file, which is not built, a vulnerable file
-	     in `doc/foo/examples/`, PHP Safe mode bugs, path disclosure (doesn't
-	     matter on Debian).
-	     All "non-issues in practice" fall also into this category, like
-	     issues only "exploitable" if the code in question is setuid root,
-	     exploits which only work if someone already has administrative
-	     privileges or similar.
+             in `doc/foo/examples/`, PHP Safe mode bugs, path disclosure (doesn't
+             matter on Debian).
+             All "non-issues in practice" fall also into this category, like
+             issues only "exploitable" if the code in question is setuid root,
+             exploits which only work if someone already has administrative
+             privileges or similar.
 
 **low**    : A security problem, which has only mild security implications
              (local DoS, `/tmp` file races and so on).
 
 **medium** : For anything which permits code execution after user interaction.
-	     Local privilege escalation vulnerabilities are in this category as
-	     well, or remote privilege escalation if it's constrained to the
-	     application (i.e. no shell access to the underlying system, such
-	     as simple cross-site scripting). Most remote DoS vulnerabilities
-	     fall into this category, too.
+             Local privilege escalation vulnerabilities are in this category as
+             well, or remote privilege escalation if it's constrained to the
+             application (i.e. no shell access to the underlying system, such
+             as simple cross-site scripting). Most remote DoS vulnerabilities
+             fall into this category, too.
 
 **high**   : A typical, exploitable security problem, which you'll really
              like to fix or at least implement a workaround. This could
              be because the vulnerable code is very broadly used, because
              an exploit is in the wild or because the attack vector is
              very wide. 
-	     Should be put into that category anything that permits an attacker
-	     to execute arbitrary code on the vulnerable system (with or
-	     without root privileges) and high-impact denial-of-service bugs
-	     (for instance, an IPv4 forwarding path vulnerability which
-	     requires only very few packets to exploit).
-	     Significant defects in security software can be rated "high" as
-	     well (for instance, a vulnerability in a piece of cryptographic
-	     software which flags forged digital signatures as genuine).
+             Should be put into that category anything that permits an attacker
+             to execute arbitrary code on the vulnerable system (with or
+             without root privileges) and high-impact denial-of-service bugs
+             (for instance, an IPv4 forwarding path vulnerability which
+             requires only very few packets to exploit).
+             Significant defects in security software can be rated "high" as
+             well (for instance, a vulnerability in a piece of cryptographic
+             software which flags forged digital signatures as genuine).
 
 Certain packages may get higher or lower rating than usual, based on
 their importance.
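Review bot: the re-indented text under **high** keeps an awkward word order on the `+             Should be put into that category anything that permits an attacker` line; consider "Anything that permits an attacker to execute arbitrary code on the vulnerable system (with or without root privileges) should also be put into this category, as should high-impact denial-of-service bugs (...)". Two related wording nits in the same region: under **unimportant**, "All \"non-issues in practice\" fall also into this category" reads better as "also fall into this category", and the unchanged context line "which you'll really like to fix" under **high** should be "want to fix". The 13-space continuation indent now matches the first lines of each definition (e.g. `             a vulnerable source file, which is not built`), so the converter should render each severity as a single paragraph.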
@@ -408,8 +408,8 @@
 In the meantime, you can add an entry of the form
 
     CVE-2009-XXXX [optipng array overflow]
-	- optipng 0.6.2.1-1 (low)
-	NOTE: http://secunia.com/advisories/34035/
+        - optipng 0.6.2.1-1 (low)
+        NOTE: http://secunia.com/advisories/34035/
 
 It is desirable to include references
 which uniquely identify the issue, such as a permanent link to an
@@ -496,7 +496,7 @@
 of security problems for the stable and oldstable distribution. An
 entry for a DSA looks like this:
 
-[21 Nov 2005] DSA-903-1 unzip - race condition
+    [21 Nov 2005] DSA-903-1 unzip - race condition
         {CVE-2005-2475}
         [woody] - unzip 5.50-1woody4
         [sarge] - unzip 5.52-1sarge2
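Review bot: indenting only the `[21 Nov 2005] DSA-903-1 unzip - race condition` header to 4 spaces makes the whole entry one code block, since the `{CVE-2005-2475}` and `[woody]` / `[sarge]` sub-lines were already at 8 spaces; that matches the CVE examples earlier in the file. The hunk context stops at the `[sarge]` line, so please check that any remaining lines of this entry in the file also use spaces, as the log message says all tabs were replaced. Separately, the example still uses woody and sarge, which no longer matches the "stable and oldstable" wording in the sentence above it; a more recent DSA would make the example easier to relate to current suites.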
